[conspire] Machine rebuild happened on Feb. 1
rick at linuxmafia.com
Tue Feb 8 18:28:22 PST 2005
Quoting William R Ward (bill at wards.net):
> I'm not sure it's as boneheaded as you think. The purpose of SPF as I
> understand it is to verify that the sender is who they claim to be.
It pretty much has to do that via a check of the envelope sender at the
time of the incoming SMTP connection. http://spf.pobox.com/faq.html#basics
Q: Does it protect the "From:" header field?
A: SPF was designed to protect the envelope sender. That means the
return-path that shows up in "MAIL FROM", and to a lesser extent the
HELO argument that is supposed to be an FQDN.
The vast majority of SPF implementations today use the return-path as
the subject of authentication and do not get involved with the header.

Protecting authorship information is an important goal. However, the
technical issues associated with protecting the "From:" header are much
more numerous and challenging. The best way to protect the header
"From:" is by using a cryptographic signature such as S/MIME, PGP, or
(when it is released) Yahoo DomainKeys.
If you want to use the "From:" header as the subject of authentication
with SPF, you need to be familiar with the following:
* mailing lists
* /etc/aliases-style forwarding
* MUA "resend this message to"
* web-generated email
* the Sender header
* the Resent-Sender and Resent-From headers
The spfd implementation I have (Debian libmail-spf-query-perl package
version 1.996-1) unfortunately rejected as originating from an
"unauthorized MX" (paraphrasing) my _own_ posts to mailing lists on
various third-party hosts, as well as Heather Stern's posts to the
BayLISA administrative list, as well as all pieces of mail generated by
my own /etc/aliases file. All of that resulted from it relying on
the mail-internal "From:" header rather than the envelope "From" one.
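The difference described above, as an added illustration that is not part of the original post: a toy SPF-style check keyed on the envelope MAIL FROM beside the same check keyed on the header "From:", run over a constructed list post. The POLICY table is an assumed stand-in for SPF DNS records, and the domains, addresses and IPs are constructed, not the list's real ones.

```python
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed stand-in for SPF DNS records: domain -> networks allowed to send for it.
POLICY = {
    "example.org": [ip_network("192.0.2.0/24")],          # the author's own domain
    "lists.example.net": [ip_network("198.51.100.0/24")],  # the mailing-list host
}

def spf_result(domain, client_ip):
    """'pass', 'fail' or 'none' for client_ip sending on behalf of domain."""
    nets = POLICY.get(domain)
    if nets is None:
        return "none"          # no policy published for this domain
    ip = ip_address(client_ip)
    return "pass" if any(ip in net for net in nets) else "fail"

def domain_of(addr):
    """Domain part of an address, tolerating 'Name <user@host>' forms."""
    _, address = parseaddr(addr)
    return address.rsplit("@", 1)[-1].lower()

def check_envelope(mail_from, client_ip):
    """What SPF is designed to check: the SMTP MAIL FROM (return-path)."""
    return spf_result(domain_of(mail_from), client_ip)

def check_header_from(raw_message, client_ip):
    """The behaviour described in the post: keying the check on the 'From:' header."""
    msg = message_from_string(raw_message)
    return spf_result(domain_of(msg["From"]), client_ip)

def verdicts(mail_from, raw_message, client_ip):
    return {"envelope": check_envelope(mail_from, client_ip),
            "header_from": check_header_from(raw_message, client_ip)}

# Constructed list post: the list software rewrote MAIL FROM to its bounce
# address, but left the author's "From:" header untouched.
LIST_POST = """From: Alice <alice@example.org>
To: conspire@lists.example.net
Subject: relayed through the list

hello
"""
LIST_MAIL_FROM = "conspire-bounces@lists.example.net"
LIST_CLIENT_IP = "198.51.100.7"

if __name__ == "__main__":
    print(verdicts(LIST_MAIL_FROM, LIST_POST, LIST_CLIENT_IP))
```

The envelope check passes because the list host is authorized for the list's domain, while the header check fails because that host is not authorized for the author's domain; the same split applies to /etc/aliases forwarding.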